- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 18 Jun 2011 06:22:22 -0700
On Sat, Jun 18, 2011 at 1:01 AM, Anne van Kesteren <annevk at opera.com> wrote:
> On Sat, 18 Jun 2011 00:31:42 +0200, Ian Hickson <ian at hixie.ch> wrote:
>>
>> The reason we _didn't_ send credentials by default for <img> was that most
>> cross-origin images are going to be static, and it would be a huge pain
>> for the server to have to do per-connection work to determine the HTTP
>> headers each time. With EventSource, that's a non-issue, since the server
>> is going to have to do lots of much heavier per-connection work anyway.
>
> I think we should change CORS to allow * for credentialed requests. People
> have already asked for that. That would also allow dropping the
> crossorigin="" attribute which complicates the request model for the
> elements it is applicable to a lot. (Too much, in my opinion.)
>
> (I designed CORS in such a way it could be used for <img> and such without
> the need to introduce new syntax.)

Without the crossorigin attribute, we'd need to send the Origin header
with every image request. That might or might not be desirable, but
it's something to consider.

Adam
Received on Saturday, 18 June 2011 06:22:22 UTC